I have machine and user auth working between Win2K PC and ACS 3.3 but not sure how to best use the Vlan assignment feature. I use Vlans for different departments and if I assign a vlan in ACS to a machine when it authenticates but the user is assigned to a different Vlan, I don't get a renewed IP.
Here is how it's working now:
1. Machine authenticates to ACS and assigned to a Vlan
2. User logs in and if they are assigned to the same Vlan as the machine, works fine. If assigned to another vlan, the switchport does get changed but the PC still has an IP from the initial Vlan it was assigned to. Releasing and renewing doesn't work but I really don't expect it to.
So, I figure the solution to this is just not set a per user Vlan and only set it per machine. But, the group mapping in ACS looked like a great way to assign Vlans based on a user's Active Directory group but it doesn't appear to recognize the different computer OUs we have. So I can assign Vlans based on user groups but not computer groups. As machines are added to ACS, I could change them to an ACS group with the Vlan set but this would be a lot more work than an automated method like unknown user policy.
So, how are others assigning machines to vlans in large multi-vlan networks using ACS and 802.1x?
As an alternative to this, how can I not use machine authentication, get an IP address that is restricted (to prevent spread of viruses), and then obtain a proper IP through a Vlan if the user is authenticated successfully? I know I can set the switchport to a Vlan and the PC will use that until the user is authenticated but then a PC could easily spread a virus.
I tested not using machine auth and it picked up a guest vlan IP and then when I logged into the domain, it was put in a full access vlan but the IP address never renewed.
See prior post on getting supplicant to realize that it needs to renew an IP stack if need be. This would be the same issue.
In general, proceed with caution here WRT 802.1X and viruses. Authentication alone does not necessarily assume trustworthiness.
To enable the machine to specifically renew its IP stack when a VLAN has been assigned, you need KB826942 (assuming there's a Win2K equivalent).
Third party supplicants can do this too (Meetinghouse supports it).
If your VLAN architecture already supports VLANs by dept, then the ability to dynamically assign them to ports via 802.1X should be backward compatible with this.
ACS can recognize computer OUs. Just needs a group for them. By default, the AD group would be "Domain Computers", I presume.
So, you could do:
machine-auth (if needed)
user-auth (if needed)
And assign a vlan to either/both of the above. As an example, some have chosen to do ONLY machine-auth + VLAN assignment if the directory infrastructure isn't a shared desktop environment.
Just really depends on the requirements ..
Hope this helps,
Thanks for the info on the patch and Meetinghouse. I couldn't find anything on a Win2K patch so this might not be an option without a client, which I don't really want to add to the numerous other clients PCs run.
I did set up a computer group and assigned my test PC to it. I mapped it to an ACS group and machine auth worked exactly as it should.
But, when user auth comes along and I don't have a Vlan specified in ACS for the group that user is in, it changes the switch port to whatever the default is in the config. It doesn't keep it in the Vlan that the machine was assigned to during its auth. Is this expected? Is there a way to do machine auth but not user auth using Windows? Otherwise this won't work without a client to change the IP because the Vlan a machine is in and the Vlan a user is in might not always be the same.
In the machine-auth + user-auth scenario, do you mean the machine and the user can belong to a different AD security group?
Based on our testing, if the user logs on the domain using a username/password pair in group A other than the machine (say, in group B), the authenticator (precisely speaking, the ACS) will fail the dot1x authentication and the port will be in a connecting-authenticating-responding-unauthorized-idle loop even though the "auth-fail-vlan" feature is enabled.
By default users and computers belong to different global groups. "Domain Users" vs. "Domain Computers" for example.
As for your example, it seems like you have a misbehaving supplicant, and authentication is attempting and then timing out and starting over .. that never actually gets to fail, so the auth-fail stuff won't help.
Note: A good way to troubleshoot this is to notice it in action via show command:
Here's an example of what you should see on a switch port.
AuthSM State = State of the 802.1X Authenticator PAE state machine
  AUTHENTICATED -- Auth Succeeded
  AUTHENTICATING -- Auth is attempting
  CONNECTING -- Dot1x is up and configured and trying to locate a supplicant.
  HELD -- Auth probably failed.
BendSM State = State of the 802.1X back-end authentication state machine
  IDLE -- Nothing is happening.
  REQUEST -- Switch sent some EAP data to AAA, and is waiting to get something back.
  RESPONSE -- AAA sent the switch back some data, and the switch in turn asked the supplicant for more data.
NOTE: You should rarely see the RESPONSE state above. If you see it for more than a second or so in the middle of an auth attempt, that's a smoking gun that you might have a mis-behaving supplicant, b/c it shouldn't take that long to send an EAPOL frame. The switch will eventually time out, and start auth over.
Hope this helps,
Thanks for a clear explanation.
So you mean that it will work if a user (in AD Group A) logs in to a machine (in AD Group B)?
Before GINA, the switch port will be in authenticated state and be put in VLAN B. After GINA, the switch port will be back to authenticating state and be put in VLAN A if the user passes the authentication?
Correct. It sounds like your use-case would be:
IF machine-auth enabled, THEN machine-auth.
    IF successful, then enable port and place into VLAN.
    ELSE, access denied.
IF user-auth enabled, AND EAPOL-Starts enabled, THEN user-auth.
    IF successful, then leave port enabled, and place into new VLAN.
    ELSE, access denied.
Hope this helps.
QRDCS01ACC01> (enable) show port dot1x 1/48
Port  Auth-State          BEnd-State Port-Control        Port-Status
----- ------------------- ---------- ------------------- -------------
1/48  authenticating      response   auto                unauthorized
Port  Port-Mode     Re-authentication Shutdown-timeout Control-Mode
----- ------------- ----------------- ---------------- ---------------
1/48  SingleAuth    disabled          disabled         Both Both
Port  Posture-Token Critical Termination action Session-timeout
----- ------------- -------- ------------------ ---------------
1/48  -             NO       NoReAuth           -
I would look into why the supplicant isn't replying back to the switch request for EAP-data in a timely manner.
I doubt it's packet loss ;-).
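As an added example (not code from anyone in this thread), here is a small Python script that parses the CatOS "show port dot1x" output posted above and applies the rules of thumb from the earlier reply: a port sitting in the RESPONSE back-end state for more than a second or so points at a supplicant that is not answering the switch. The sample output is constructed, modeled on the capture above, and the seconds_in_state value is assumed to come from polling the command repeatedly.

```python
import re

# Meaning of each state, as explained earlier in the thread.
AUTH_MEANING = {
    "authenticated": "auth succeeded",
    "authenticating": "auth is attempting",
    "connecting": "dot1x is up and trying to locate a supplicant",
    "held": "auth probably failed",
}
BEND_MEANING = {
    "idle": "nothing is happening",
    "request": "switch sent EAP data to AAA and is waiting for a reply",
    "response": "AAA replied; switch is waiting on the supplicant",
}
# Constructed sample, modeled on the CatOS output posted in the thread.
SAMPLE = """\
QRDCS01ACC01> (enable) show port dot1x 1/48
Port  Auth-State          BEnd-State Port-Control        Port-Status
----- ------------------- ---------- ------------------- -------------
1/48  authenticating      response   auto                unauthorized
Port  Port-Mode     Re-authentication Shutdown-timeout Control-Mode
----- ------------- ----------------- ---------------- ---------------
1/48  SingleAuth    disabled          disabled         Both Both
"""

def parse_show_port_dot1x(output):
    """Return {port: (auth_state, bend_state)} from the first table."""
    ports = {}
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if line.split()[:3] == ["Port", "Auth-State", "BEnd-State"]:
            for row in lines[i + 2:]:  # skip the dashed separator line
                fields = row.split()
                if len(fields) < 5 or not re.match(r"^\d+/\d+$", fields[0]):
                    break  # reached the next table
                ports[fields[0]] = (fields[1].lower(), fields[2].lower())
    return ports

def diagnose(auth, bend, seconds_in_state=0):
    """Apply the thread's rules of thumb to one port's state pair."""
    if auth == "authenticated":
        return "ok: " + AUTH_MEANING[auth]
    if bend == "response" and seconds_in_state > 1:
        # Stuck waiting on the supplicant: the "smoking gun" described above.
        return "suspect supplicant: not answering the switch's EAP request"
    if auth == "held":
        return "auth failed"
    if auth == "connecting" and bend == "idle":
        return "no supplicant seen on the port yet"
    return "in progress: %s / %s" % (AUTH_MEANING.get(auth, auth), BEND_MEANING.get(bend, bend))
```

Run diagnose() on the parsed states of each poll; the port in the capture above, if it stays in authenticating/response across polls, is flagged as a suspect supplicant rather than an AAA problem.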